Demo: Agentic shopping – and agentic fraud detection – in action

See how agentic commerce, agentic fraud, and agentic fraud prevention work in our demo – and get your fraud strategy ready.

31 March 2026

The era of agentic commerce is upon us, and yet few have conducted – or even seen – a single fully agentic shopping journey.

The landscape may be changing rapidly but the latest research posits that only 17% of shoppers globally say they are ready to let an AI agent fully handle their shopping journeys, including the payment – and those who have actually done so are even fewer. Skepticism aside, it’s fair to say that, at the moment, everyone seems to be talking about AI agents much more often than they are using AI agents to shop.

But how can we prepare for agentic without first understanding agentic? It’s time to address that, as well as show how fraudsters may use an AI agent to harm a merchant.

Welcome to Ravelin’s in-depth agentic commerce demo.

What is RavSwag? Ravelin's agentic demo

The majority of consumers around the world have not yet experienced agentic commerce. At Ravelin, we wanted to change that. So, at the latest RavCon 26 summit in London, the Ravelin team prepared the “RavSwag” demo.

RavSwag is a live web-based eshop set up to allow RavCon attendees to shop online using a custom shopping agent or ChatGPT, pushing through real transactions using demo card details – effectively conducting end-to-end agentic transactions. After ordering Ravelin swag using legitimate AI agent requests, they then picked up their selected items from the RavSwag booth: Ravelin socks, chocolate or T-shirts, all prepared specially for RavCon 26 attendees.

We were also able to reveal how a nefarious AI agent can attempt checkouts with several stolen cards at once, as an example of how agents can be used for fraud – as well as how each of these transactions looks on Ravelin’s Dashboard, illustrating how fraud prevention can answer the risks posed by agentic commerce-related fraud.

Note that although it is accessible online, the RavSwag website is a demonstration tool only, put together to show how agentic AI commerce works. It cannot be used by the wider public to order products.

RavCon 26 included a demonstration of agentic commerce

How does an agentic transaction work?

Plenty of consumers ask Large Language Models (LLMs) such as ChatGPT and Gemini for recommendations on what to buy, review summaries, and feature comparisons.

But when we speak of agentic shopping, we are specifically referring to AI agents finding the product, assessing its suitability, and buying it for the user. This can be done via agentic protocol integration or by having the agent simulate a human’s actions in an online shop, clicking where needed to complete the purchase.

Agentic commerce can be human-present, as it tends to happen today, with the cardholder authenticating themselves within the AI app in order to complete checkout, or human-not-present, with the AI itself being able to handle payments and authentication on the user’s behalf.

The specifics of how this is done depend on the protocols used. At the time of writing, human-not-present agentic shopping is fairly theoretical rather than a practical reality. Let’s look at an agentic shopping journey in action using ChatGPT’s “agent” functionality.

Step 1: Prompting the AI

The user prompts ChatGPT’s agent, providing their requested item and the shipping details.

Step 2: AI browsing, selecting and preparing the purchase

In our example, ChatGPT provides a window for the shopper to see its movements as well as its reasoning.

The AI takes action, navigating to the online shop, finding and selecting the requested product.

The user does not need to visit the eshop. They sit back and let ChatGPT take the reins.

Step 3: Details filled in

In addition to selecting the right item, ChatGPT is confirming whether the price is as promised.

Then, it populates the shipping address. The AI will even attempt to prevent errors when form-filling, and check that what was prefilled is also correct.

Step 4: Card details

Shoppers are strongly discouraged from entering their payment card details directly into ChatGPT prompts.

OpenAI instead recommends that users take over the agent when it’s time to enter card details, and fill them in themselves. Then, the user will click on “Finish controlling”.

Step 5: Order complete!

Once the user hands back control, the AI agent requests final user confirmation before completing the purchase. Once it's finalized, the agent confirms the order status and provides the reference number and any additional information.


How can fraudsters take advantage of agentic shopping?

Fraudsters are notorious early adopters of any technology that can help them gain more, hide better, and speed up or scale their operations. And AI agents can certainly help with some of this.

The possibilities are vast, and exist on several dimensions – including bad agents created and/or used by criminals to enable fraud, as well as good agents that could be hijacked, manipulated or otherwise commandeered. In fact, a nefarious agent can pretend to be a legitimate one and fool honest users into shopping from it, causing harm to both shopper and merchant. And you can even have a combination of a malicious agent and malicious user.

Note that these agents are able to do all this without being programmed to do so explicitly. They only need to be given an instruction by a fraudster to then figure out how to carry out their schemes.

As part of our agentic demo, we wanted to show just how easy it is for someone with bad intentions to create and deploy a bad AI agent against a shop – in our case, the RavSwag shop.

For this, the Ravelin team put themselves in fraudsters’ shoes. They thought: If I was a fraudster who wanted to take advantage of this brave new world, how would I go about it? I’d probably let AI do as much of my work as possible for me, including creating the agent in the first place.

So, wearing the hat of a fraudster, we used “vibe coding” – a verb that describes a method to develop software that relies on prompting AI in various ways instead of writing code manually. In vibe coding, anything that works is acceptable; you use trial and error to build software, constantly testing the output and tweaking it.

The result was the AI_AGENT_FRAUD_RUNNER pictured above. This software allows the fraudster to easily scale their operations by attempting to shop with stolen cards in bulk. In our screenshots, you’ll see four agents shopping in four different browser windows at the same time, but it can be dozens and dozens of browsers instead.

A real-life use case for this is card testing, for instance, where criminals buy long lists of stolen card credentials and need to test which ones still work before they use them for more elaborate schemes. Moreover, agents could circumvent the failsafes put in place to prevent bulk buying, enabling schemes such as ticket scalping or buying other limited edition items to resell for profit.

It took about an hour and just 300 lines of code to create this piece of fraudulent software – so you can imagine what a motivated criminal can do, even if they are not a proficient programmer. Looking more closely at how this fraud runner works, you can see the logs of what each of its sub-agents is doing, independently of each other.

Each of the agents selects the item, enters the card details, conducts a complete checkout and reports back to the criminal, who can monitor the progress from the log window.

The browser windows where each of the agents is working to make a purchase can also be visible and monitored, as seen below.

The agent can be set up to notify the fraudster when their shopping has completed. A more sophisticated version could output lists of cards that failed and those that succeeded, allowing for card testing.

What does agentic fraud prevention look like?

What does a fraud solution see when someone shops with an agent? The short answer is – it depends on the fraud solution. At Ravelin, we have made several agentic-related updates to our solutions, and continue to add more, aiming to both surface agentic-related data points and help our merchants implement efficient agentic fraud strategies.

The goal should be to identify the legitimate use of a shopping agent and tell it apart from fraudulent use of a shopping agent – as well as flagging illegitimate, unverified or hijacked agents.

Here is an example of what Ravelin’s Dashboard will show when you complete any of these agentic transactions:

An “Agentic order” label will show at the top of the Order page, along with a prominent box explaining that the order was facilitated by an AI agent.

We will also surface the name of the agent, the provider of the agent, whether the agent has been verified, and who provided that verification.

You can see all of this in the “Agent details” block at the bottom of the screenshot below:

If, on the other hand, an unverified, suspicious agent is spotted shopping with one of Ravelin’s merchants, this will also be flagged – not as a legitimate agent but as a bot. In addition to a bot label, you will see information on the bot’s type, category, score and more.

Although not every one of the rich data points and features we capture for human transactions will be available in the case of shopping agents, the combination of agentic fraud signals and the breadth of data and machine learning features Ravelin utilizes will flag any irregularities, providing a recommendation along with an explainable fraud score to better protect your company.


Setting policies & reporting

From there, we have already given merchants the ability to set their agentic commerce policies based on their risk appetite. For instance, in the screenshot below you can see a fraud rule being set to block all transactions that are attributed to ChatGPT where the agent verification has failed.
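
As an added illustration (not Ravelin's code or rule syntax), the Python below scores a batch of checkout events for two signals discussed on this page: many distinct cards from one source in a short window, as in the card-testing scenario, and an agent whose verification failed, as in the rule above. The event fields, the thresholds, and the choice of IP address as the grouping key are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2026, 3, 31, 12, 0, 0)

def ev(sec, ip, card, agent=None, verified=None):
    """Build one constructed checkout event (hypothetical field names)."""
    return {"ts": T0 + timedelta(seconds=sec), "ip": ip, "card": card,
            "agent": agent, "verified": verified}

# Constructed sample data: 203.0.113.7 tries four cards in under a minute.
EVENTS = [
    ev(0, "198.51.100.4", "card-A", "ChatGPT", True),
    ev(5, "203.0.113.7", "card-B"),
    ev(9, "203.0.113.7", "card-C"),
    ev(14, "203.0.113.7", "card-D"),
    ev(20, "203.0.113.7", "card-E"),
    ev(60, "198.51.100.9", "card-F", "ChatGPT", False),
    ev(90, "192.0.2.33", "card-G"),
]

def card_testing_sources(events, window=timedelta(minutes=5), max_cards=3):
    """Return IPs that used more than max_cards distinct cards inside any window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            if len({e["card"] for e in evs[start:end + 1]}) > max_cards:
                flagged.add(ip)
                break
    return flagged

def decide(event, flagged):
    """Block card-testing sources and agents whose verification failed."""
    if event["ip"] in flagged:
        return "block"
    if event["agent"] and event["verified"] is False:
        return "block"
    return "allow"

def run(events=EVENTS):
    """Batch-score all events; returns one decision per event, in order."""
    flagged = card_testing_sources(events)
    return [decide(e, flagged) for e in events]
```

Because this scores a batch after the fact, the first three attempts from the flagged source are also marked; a live system would only see the threshold crossed on the fourth card.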

Ravelin’s platform also provides several agentic-focused reporting tools, giving merchants an accurate representation of their agentic commerce activity, including the popularity of each type of agent with their clientele and, qualitatively, the volume of agentic and bot transactions that have been legitimate or fraudulent.


Finally, to help combat the rising threat of refund abuse and opportunistic returns fraud, we also flag refund requests that are linked to an agentic order.

From there, you may wish to scrutinize such requests more carefully, or apply a different intervention.

How do custom shopping agents work?

Another way agentic commerce can work is through custom shopping agents. Our agentic commerce demo also showcases this option as an example of human-attended agentic shopping.

This is where the cardholder manually confirms the details of a transaction before it goes through, thus staying in control of the payment and using the agent to primarily automate and speed up their process.

Firstly, the shopper enters their details, along with instructions on what to buy.


The agent reads the instructions and starts taking the right steps on the shop.

You will also notice an “emergency stop” button below, which the user can press if they want to stop the sequence and take over at any time.


Once the agent has chosen the correct products and filled in all the details on the eshop, the AI prompts the shopper to enter their payment details to complete the transaction.

At this point, the shopper can double-check that the order is to their liking, and by clicking to confirm they are authenticating themselves as the cardholder.

The task is then complete. The benefit of an agentic shop of this type versus a fully automated end-to-end transaction is that accountability and liability are currently much clearer in the former. As the human shopper is called to review and approve the transaction, including adding their details, the liability can remain as it stands with traditional, human shopping – until the ecommerce and payments industry agrees on revised regulations and protocols to support other setups.

Summing up

In all of the use cases we saw above – both legitimate and fraudulent – the core functionality remains the same: An agent shops automatically while the user sits back, relaxes and finally receives information about the outcome of the shop. Depending on who is using any of these agents, the transaction can be legitimate or fraudulent.

It is up to the merchant – and their fraud solution – to assess whether the agent and the user have good or bad intentions. That’s where robust, proactive fraud defenses come into play.

Make sure the fraud solution you’re using is up to speed with the latest developments in agentic ecommerce. That it can tell good agents from bad agents. And that it surfaces the information you need to make the best possible decisions when it comes to your policies. Your bottom line will thank you for it.
